Bug #688730 “FTBFS with FORTIFY_SOURCES” : Bugs : htmldoc package : Ubuntu

Revision history for this message

Dimitri John Ledkov (xnox) wrote on 2010-12-10:

#1

Download full text (8.9 KiB)

:~/src/build-dir/htmldoc-1.8.27/doc$ gdb ../htmldoc/htmldoc
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc...done.
(gdb) run --datadir .. --strict --verbose --batch htmldoc.book -f htmldoc.ps
Starting program: /home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc --datadir .. --strict --verbose --batch htmldoc.book -f htmldoc.ps
[Thread debugging using libthread_db enabled]
INFO: Reading intro.html...
INFO: Reading 1-install.html...
INFO: Reading 2-starting.html...
INFO: Reading 3-books.html...
INFO: Reading 4-cmdline.html...
INFO: Reading 5-cgi.html...
INFO: Reading 6-htmlref.html...
INFO: Reading 7-guiref.html...
INFO: Reading 8-cmdref.html...
INFO: Reading a-license.html...
INFO: Reading b-book.html...
INFO: Reading c-relnotes.html...
INFO: Reading d-compile.html...
*** buffer overflow detected ***: /home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x50)[0x5f8990]
/lib/libc.so.6(+0xe488a)[0x5f788a]
/lib/libc.so.6(__strcpy_chk+0x44)[0x5f6c04]
/home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc[0x8077f17]
/home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc[0x808e337]
/home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc[0x8062a54]
/lib/libc.so.6(__libc_start_main+0xe7)[0x529ce7]
/home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc[0x804d8f1]
======= Memory map: ========
00110000-0012c000 r-xp 00000000 08:03 1310896 /lib/ld-2.12.1.so
0012c000-0012d000 r--p 0001b000 08:03 1310896 /lib/ld-2.12.1.so
0012d000-0012e000 rw-p 0001c000 08:03 1310896 /lib/ld-2.12.1.so
0012e000-0012f000 r-xp 00000000 00:00 0 [vdso]
0012f000-00173000 r-xp 00000000 08:03 1314308 /lib/libssl.so.0.9.8
00173000-00174000 r--p 00044000 08:03 1314308 /lib/libssl.so.0.9.8
00174000-00177000 rw-p 00045000 08:03 1314308 /lib/libssl.so.0.9.8
00177000-002a9000 r-xp 00000000 08:03 1314307 /lib/libcrypto.so.0.9.8
002a9000-002b1000 r--p 00131000 08:03 1314307 /lib/libcrypto.so.0.9.8
002b1000-002c0000 rw-p 00139000 08:03 1314307 /lib/libcrypto.so.0.9.8
002c0000-002c3000 rw-p 00000000 00:00 0
002c3000-003d7000 r-xp 00000000 08:03 3408816 /usr/lib/libX11.so.6.3.0
003d7000-003d8000 r--p 00113000 08:03 3408816 /usr/lib/libX11.so.6.3.0
003d8000-003da000 rw-p 00114000 08:03 3408816 /usr/lib/libX11.so.6.3.0
003da000-003db000 rw-p 00000000 00:00 0
003db000-003fe000 r-xp 00000000 08:03 1310812 /lib/libpng12.so.0.44.0
003fe000-003ff000 r--p 00022000 08:03 1310812 /lib/libpng12.so.0.44.0
003ff000-00400000 rw-p 00023000 08:03 1310812 /lib/libpng12.so.0.44.0
00400000-00413000 r-xp 00000000 08:03 1310780 /lib/libz.so.1.2.3.4
00413000-00414000 r--p 00012000 08:03 1310780 ...

:~/src/build-dir/htmldoc-1.8.27/doc$ gdb ../htmldoc/htmldoc
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc...done.
(gdb) run --datadir .. --strict --verbose --batch htmldoc.book -f htmldoc.ps
Starting program: /home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc --datadir .. --strict --verbose --batch htmldoc.book -f htmldoc.ps
[Thread debugging using libthread_db enabled]
INFO: Reading intro.html...
INFO: Reading 1-install.html...
INFO: Reading 2-starting.html...
INFO: Reading 3-books.html...
INFO: Reading 4-cmdline.html...
INFO: Reading 5-cgi.html...
INFO: Reading 6-htmlref.html...
INFO: Reading 7-guiref.html...
INFO: Reading 8-cmdref.html...
INFO: Reading a-license.html...
INFO: Reading b-book.html...
INFO: Reading c-relnotes.html...
INFO: Reading d-compile.html...
*** buffer overflow detected ***: /home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc terminated
======= Backtrace: =========
/lib/libc.so.6(__fortify_fail+0x50)[0x5f8990]
/lib/libc.so.6(+0xe488a)[0x5f788a]
/lib/libc.so.6(__strcpy_chk+0x44)[0x5f6c04]
/home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc[0x8077f17]
/home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc[0x808e337]
/home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc[0x8062a54]
/lib/libc.so.6(__libc_start_main+0xe7)[0x529ce7]
/home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc[0x804d8f1]
======= Memory map: ========
00110000-0012c000 r-xp 00000000 08:03 1310896    /lib/ld-2.12.1.so
0012c000-0012d000 r--p 0001b000 08:03 1310896    /lib/ld-2.12.1.so
0012d000-0012e000 rw-p 0001c000 08:03 1310896    /lib/ld-2.12.1.so
0012e000-0012f000 r-xp 00000000 00:00 0          [vdso]
0012f000-00173000 r-xp 00000000 08:03 1314308    /lib/libssl.so.0.9.8
00173000-00174000 r--p 00044000 08:03 1314308    /lib/libssl.so.0.9.8
00174000-00177000 rw-p 00045000 08:03 1314308    /lib/libssl.so.0.9.8
00177000-002a9000 r-xp 00000000 08:03 1314307    /lib/libcrypto.so.0.9.8
002a9000-002b1000 r--p 00131000 08:03 1314307    /lib/libcrypto.so.0.9.8
002b1000-002c0000 rw-p 00139000 08:03 1314307    /lib/libcrypto.so.0.9.8
002c0000-002c3000 rw-p 00000000 00:00 0 
002c3000-003d7000 r-xp 00000000 08:03 3408816    /usr/lib/libX11.so.6.3.0
003d7000-003d8000 r--p 00113000 08:03 3408816    /usr/lib/libX11.so.6.3.0
003d8000-003da000 rw-p 00114000 08:03 3408816    /usr/lib/libX11.so.6.3.0
003da000-003db000 rw-p 00000000 00:00 0 
003db000-003fe000 r-xp 00000000 08:03 1310812    /lib/libpng12.so.0.44.0
003fe000-003ff000 r--p 00022000 08:03 1310812    /lib/libpng12.so.0.44.0
003ff000-00400000 rw-p 00023000 08:03 1310812    /lib/libpng12.so.0.44.0
00400000-00413000 r-xp 00000000 08:03 1310780    /lib/libz.so.1.2.3.4
00413000-00414000 r--p 00012000 08:03 1310780    /lib/libz.so.1.2.3.4
00414000-00415000 rw-p 00013000 08:03 1310780    /lib/libz.so.1.2.3.4
00415000-00433000 r-xp 00000000 08:03 3408981    /usr/lib/libjpeg.so.62.0.0
00433000-00434000 r--p 0001d000 08:03 3408981    /usr/lib/libjpeg.so.62.0.0
00434000-00435000 rw-p 0001e000 08:03 3408981    /usr/lib/libjpeg.so.62.0.0
00435000-00445000 r-xp 00000000 08:03 3438433    /usr/lib/libfltk_images.so.1.1
00445000-00446000 r--p 0000f000 08:03 3438433    /usr/lib/libfltk_images.so.1.1
00446000-00447000 rw-p 00010000 08:03 3438433    /usr/lib/libfltk_images.so.1.1
00447000-004ed000 r-xp 00000000 08:03 3438430    /usr/lib/libfltk.so.1.1
004ed000-004ee000 ---p 000a6000 08:03 3438430    /usr/lib/libfltk.so.1.1
004ee000-004f0000 r--p 000a6000 08:03 3438430    /usr/lib/libfltk.so.1.1
004f0000-004f4000 rw-p 000a8000 08:03 3438430    /usr/lib/libfltk.so.1.1
004f4000-004f7000 rw-p 00000000 00:00 0 
004f7000-00511000 r-xp 00000000 08:03 1313362    /lib/libgcc_s.so.1
00511000-00512000 r--p 00019000 08:03 1313362    /lib/libgcc_s.so.1
00512000-00513000 rw-p 0001a000 08:03 1313362    /lib/libgcc_s.so.1
00513000-0066a000 r-xp 00000000 08:03 1311040    /lib/libc-2.12.1.so
0066a000-0066b000 ---p 00157000 08:03 1311040    /lib/libc-2.12.1.so
0066b000-0066d000 r--p 00157000 08:03 1311040    /lib/libc-2.12.1.so
0066d000-0066e000 rw-p 00159000 08:03 1311040    /lib/libc-2.12.1.so
0066e000-00671000 rw-p 00000000 00:00 0 
00671000-00686000 r-xp 00000000 08:03 1311244    /lib/libpthread-2.12.1.so
00686000-00687000 ---p 00015000 08:03 1311244    /lib/libpthread-2.12.1.so
00687000-00688000 r--p 00015000 08:03 1311244    /lib/libpthread-2.12.1.so
00688000-00689000 rw-p 00016000 08:03 1311244    /lib/libpthread-2.12.1.so
00689000-0068b000 rw-p 00000000 00:00 0 
0068b000-0068d000 r-xp 00000000 08:03 1311043    /lib/libdl-2.12.1.so
0068d000-0068e000 r--p 00001000 08:03 1311043    /lib/libdl-2.12.1.so
0068e000-0068f000 rw-p 00002000 08:03 1311043    /lib/libdl-2.12.1.so
0068f000-006a7000 r-xp 00000000 08:03 3415823    /usr/lib/libxcb.so.1.1.0
006a7000-006a8000 r--p 00017000 08:03 3415823    /usr/lib/libxcb.so.1.1.0
006a8000-006a9000 rw-p 00018000 08:03 3415823    /usr/lib/libxcb.so.1.1.0
006a9000-006cd000 r-xp 00000000 08:03 1311044    /lib/libm-2.12.1.so
006cd000-006ce000 r--p 00023000 08:03 1311044    /lib/libm-2.12.1.so
006ce000-006cf000 rw-p 00024000 08:03 1311044    /lib/libm-2.12.1.so
006cf000-007ae000 r-xp 00000000 08:03 3408838    /usr/lib/libstdc++.so.6.0.14
007ae000-007b2000 r--p 000de000 08:03 3408838    /usr/lib/libstdc++.so.6.0.14
007b2000-007b3000 rw-p 000e2000 08:03 3408838    /usr/lib/libstdc++.so.6.0.14
007b3000-007ba000 rw-p 00000000 00:00 0 
007ba000-007cc000 r-xp 00000000 08:03 3408116    /usr/lib/libXft.so.2.1.13
007cc000-007cd000 r--p 00011000 08:03 3408116    /usr/lib/libXft.so.2.1.13
007cd000-007ce000 rw-p 00012000 08:03 3408116    /usr/lib/libXft.so.2.1.13
007ce000-007fb000 r-xp 00000000 08:03 3411065    /usr/lib/libfontconfig.so.1.4.4
007fb000-007fc000 r--p 0002c000 08:03 3411065    /usr/lib/libfontconfig.so.1.4.4
007fc000-007fd000 rw-p 0002d000 08:03 3411065    /usr/lib/libfontconfig.so.1.4.4
007fd000-007ff000 r-xp 00000000 08:03 3409333    /usr/lib/libXinerama.so.1.0.0
007ff000-00800000 r--p 00001000 08:03 3409333    /usr/lib/libXinerama.so.1.0.0
00800000-00801000 rw-p 00002000 08:03 3409333    /usr/lib/libXinerama.so.1.0.0
00801000-00803000 r-xp 00000000 08:03 3410000    /usr/lib/libXau.so.6.0.0
00803000-00804000 r--p 00001000 08:03 3410000    /usr/lib/libXau.so.6.0.0
00804000-00805000 rw-p 00002000 08:03 3410000    /usr/lib/libXau.so.6.0.0
00805000-00809000 r-xp 00000000 08:03 3409246    /usr/lib/libXdmcp.so.6.0.0
00809000-0080a000 r--p 00003000 08:03 3409246    /usr/lib/libXdmcp.so.6.0.0
0080a000-0080b000 rw-p 00004000 08:03 3409246    /usr/lib/libXdmcp.so.6.0.0
0080b000-0087c000 r-xp 00000000 08:03 3408303    /usr/lib/libfreetype.so.6.6.0
0087c000-00880000 r--p 00070000 08:03 3408303    /usr/lib/libfreetype.so.6.6.0
00880000-00881000 rw-p 00074000 08:03 3408303    /usr/lib/libfreetype.so.6.6.0
00881000-00889000 r-xp 00000000 08:03 3417614    /usr/lib/libXrender.so.1.3.0
00889000-0088a000 r--p 00007000 08:03 3417614    /usr/lib/libXrender.so.1.3.0
0088a000-0088b000 rw-p 00008000 08:03 3417614    /usr/lib/libXrender.so.1.3.0
0088b000-008af000 r-xp 00000000 08:03 1310796    /lib/libexpat.so.1.5.2
008af000-008b1000 r--p 00024000 08:03 1310796    /lib/libexpat.so.1.5.2
008b1000-008b2000 rw-p 00026000 08:03 1310796    /lib/libexpat.so.1.5.2
008b2000-008c0000 r-xp 00000000 08:03 3436539    /usr/lib/libXext.so.6.4.0
008c0000-008c1000 r--p 0000d000 08:03 3436539    /usr/lib/libXext.so.6.4.0
008c1000-008c2000 rw-p 0000e000 08:03 3436539    /usr/lib/libXext.so.6.4.0
08048000-080ab000 r-xp 00000000 08:05 1606229    /home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc
080ac000-080ad000 r--p 00063000 08:05 1606229    /home/tdlk/src/build-dir/htmldoc-1.8.27/htmldoc/htmldoc
Program received signal SIGABRT, Aborted.
0x0012e416 in __kernel_vsyscall ()
(gdb) backtrace
#0  0x0012e416 in __kernel_vsyscall ()
#1  0x0053d941 in raise () from /lib/libc.so.6
#2  0x00540e42 in abort () from /lib/libc.so.6
#3  0x00575305 in ?? () from /lib/libc.so.6
#4  0x005f8990 in __fortify_fail () from /lib/libc.so.6
#5  0x005f788a in __chk_fail () from /lib/libc.so.6
#6  0x005f6c04 in __strcpy_chk () from /lib/libc.so.6
#7  0x08077f17 in strcpy (page=0, type=0, x=59.7116394, y=373.745575, width=367.576721, 
    height=19.0079994, data=<value optimised out>, insert=0x0) at /usr/include/bits/string3.h:107
#8  new_render (page=0, type=0, x=59.7116394, y=373.745575, width=367.576721, height=19.0079994, 
    data=<value optimised out>, insert=0x0) at ps-pdf.cxx:8618
#9  0x0808e337 in pspdf_export (document=0x8119b20, toc=0x8331e40) at ps-pdf.cxx:721
#10 0x08062a54 in main (argc=<value optimised out>, argv=0xbffff0f4) at htmldoc.cxx:1294

Revision history for this message

Dimitri John Ledkov (xnox) wrote on 2010-12-10:

#2

8617 // Safe because buffer is allocated...
8618 strcpy((char *)r->data.text.buffer, (char *)data);

Will investigate further =)

Revision history for this message

Dimitri John Ledkov (xnox) wrote on 2010-12-13:

#3

Reported upstream - http://www.htmldoc.org/str.php?L235

Revision history for this message

StefanPotyra (sistpoty) wrote on 2010-12-14:

#4

From a quick glimpse, the code should be correct.

What's happening here is that FORITFY_SOURCE will replace strcpy with a function similar to strncpy(.., .., target buffer size). Target buffer size is taken from the structure definition, and hence is 1 (buffer is uchar[1]). That's wrong, since the calloc on line 8593 has already allocated enough space.

Revision history for this message

StefanPotyra (sistpoty) wrote on 2010-12-14:

#5

Kees, any good ideas?

Revision history for this message

Kees Cook (kees) wrote on 2010-12-14:

#6

The problem is the use of "strcpy" instead of "strncpy". The code should be modified to include the expected malloced string size for such a strncpy call.

Dimitri John Ledkov (xnox) on 2010-12-16

summary:

- Buffer Overflow happens over it's own documentation when compiled with
- -O2
+ FTBFS with FORTIFY_SOURCES

Revision history for this message

Dimitri John Ledkov (xnox) wrote on 2010-12-16:

#7

Hmm strncpy didn't work, but memcpy does. OpenSUSE had memcpy before me =) kudos to them. Branch ready to be merged and uploaded.

Revision history for this message

StefanPotyra (sistpoty) wrote on 2010-12-17:

#8

patch looks good, but please document changing to use dh-autoreconf in changelog. I've added that prior to uploading.

Uploaded, thanks for your contribution.

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-12-17:

#9

This bug was fixed in the package htmldoc - 1.8.27-4.1ubuntu1

---------------
htmldoc (1.8.27-4.1ubuntu1) natty; urgency=low

  * Fix FTBFS on natty (LP: #687976):
    - Added X11 to libs
    - Switch to dh-autoreconf
    - Make subdir makes fail the build
    - Use memcpy instead of strcpy, fixes FTBFS with FORTIFY (LP: #688730),
      patch from openSUSE same license as the package.
-- Dmitrijs Ledkovs <email address hidden> Fri, 10 Dec 2010 14:27:39 +0000

Changed in htmldoc (Ubuntu):
status:	New → Fix Released

Revision history for this message

Dave Walker (davewalker) wrote on 2011-07-15:

#10

Was this patch ever pushed back to Debian?.. I can't see the bug.

Revision history for this message

StefanPotyra (sistpoty) wrote on 2011-07-15:

#11

Partially: DBTS: #554803.

Also there's the upstream bug report, see comment 3.

I think it might be worthwhile to check if changing buffer to a variable sized array will lead to improvements (htmldoc/ps-pdf.cxx:205).

Revision history for this message

StefanPotyra (sistpoty) wrote on 2011-07-15:

#12

Oh, forgot to mention, looking at debian source package 1.8.27-5 right now.

Dave Walker (davewalker) on 2012-05-17

Changed in htmldoc (Ubuntu Natty):
status:	New → Fix Released
Changed in htmldoc (Ubuntu Quantal):
status:	Fix Released → In Progress

Revision history for this message

Launchpad Janitor (janitor) wrote on 2012-05-17:

#13

This bug was fixed in the package htmldoc - 1.8.27-8ubuntu1

---------------
htmldoc (1.8.27-8ubuntu1) quantal; urgency=low

   * debian/patches/strcpy-to-memcpy-fix-ftbfs.patch: Use memcpy instead of
     strcpy, resolves FTBFS when FORTIFY is used. Patch cherry picked from
     upstream tracker, based on previously directly applied changes to
     1.8.27-4.1ubuntu1. (LP: #688730)

htmldoc (1.8.27-8) unstable; urgency=low

* Use dpkg-buildflags if available.
* Update Standards-Version.

htmldoc (1.8.27-7) unstable; urgency=low

* Add patch from upstream bug tracker to fix libpng 1.5 builds.
Closes: #650562.

htmldoc (1.8.27-6) unstable; urgency=low

  * Add build-arch and build-indep to debian/rules per the
    (potential?) release goal for wheezy.
  * Update Standards-Version.

htmldoc (1.8.27-5) unstable; urgency=low

  * Acknowledge and pull in security team NMU. Closes: #537637.
  * Switch to 3.0 (quilt) source format, and separate patches.
  * Tweak build system to produce more useful information on build
    failures.
  * Build-Depend on libxpm-dev to fix a FTBFS with newer X11 dev packages.
    Closes: #554803.
  * Fix lintian warnings.
-- Dave Walker (Daviey) <email address hidden> Thu, 17 May 2012 23:02:28 +0100

Changed in htmldoc (Ubuntu Quantal):
status:	In Progress → Fix Released

	Status	Importance	Assigned to
htmldoc (Ubuntu)	Fix Released	Undecided	Unassigned
Natty	Fix Released	Undecided	Unassigned
Quantal	Fix Released	Undecided	Unassigned

Ubuntu
htmldoc package

FTBFS with FORTIFY_SOURCES

Bug Description

Related branches

Other bug subscribers

Remote bug watches

Ubuntuhtmldoc package

FTBFS with FORTIFY_SOURCES

Bug Description

Related branches

Other bug subscribers

Remote bug watches

Ubuntu
htmldoc package